简述
Mogdb在1.1.0版本引入动态脱敏(Dynamic Data Masking),通过2个版本的迭代,目前已经日趋完善,该功能通过定制化制定脱敏策略从而实现对隐私数据保护的一种技术,可以有效地不更改业务SQL的前提下,解决非授权用户对敏感信息的访问问题。当管理员指定待脱敏对象(LABEL)和定制数据脱敏策略(POLICY)后,用户所查询的数据库资源如果关联到对应的脱敏策略时,则会根据用户身份和脱敏策略进行数据脱敏,从而限制非授权用户对隐私数据的访问。
测试
参数配置
gsql -c "show enable_security_policy ;"
gs_guc reload -I all -N all -c "enable_security_policy=on"
gsql -c "show enable_security_policy ;"创建测试表
--创建测试表
create table t_mask (
id int primary key,
name varchar(20),
creditcard varchar(20),
order_id int,
address varchar(50),
email varchar(50));
--插入测试数据
insert into t_mask values(1,'钱一','1111-2222-3333-4444',04153211,'huoyue Mansion, No. 98, 1st Fuhua Street','qianyi@enmotech.com');
insert into t_mask values(2,'赵二','4444-5555-6666-7777',04153212,'huoyue Mansion, No. 98, 2st Fuhua Street','zhaoer@enmotech.com');
insert into t_mask values(3,'张三','7777-8888-9999-0000',04153213,'huoyue Mansion, No. 98, 3st Fuhua Street','zhangsan@enmotech.com');
insert into t_mask values(4,'李四','0000-1111-2222-3333',04153214,'huoyue Mansion, No. 98, 4st Fuhua Street','lisi@enmotech.com');
insert into t_mask values(5,'王五','4444-5555-6666-7777',04153215,'huoyue Mansion, No. 98, 4st Fuhua Street','wangwu@enmotech.com');
insert into t_mask values(6,'贾六','7777-8888-9999-0000',04153216,'huoyue Mansion, No. 98, 4st Fuhua Street','jialiu@enmotech.com');
select * from t_mask;
--创建测试用户
create user u_mask with password 'Mask@1234';
grant select on t_mask to u_mask;创建脱敏资源标签
脱敏标签定义了一组数据对象的集合,指定了对哪些敏感数据表的列数据需要进行动态脱敏。
--创建对应策略的透明标签
create resource label label_creditcardmasking add column(t_mask.creditcard);
create resource label label_basicemailmasking add column(t_mask.email);
create resource label label_fullemailmasking add column(t_mask.email);
create resource label label_alldigitsmasking add column(t_mask.address);
create resource label label_shufflemasking add column(t_mask.address);
create resource label label_randommasking add column(t_mask.address);
create resource label label_maskall add column(t_mask.order_id);创建脱敏策略
脱敏策略通过识别资源标签定义的数据对象,匹配不同的透明策略,为指定的用户(可进行来源限定)进行数据脱敏操作
透明策略说明
脱敏函数名 | 示例及注意事项 |
creditcardmasking | ‘4880-9898-4545-2525’ 将会被脱敏为 ‘xxxx-xxxx-xxxx-2525’,该函数仅对后4位之前的数字进行脱敏 |
basicemailmasking | ‘abcd@gmail.com’ 将会被脱敏为 ‘xxxx@gmail.com’, 对出现第一个’@'之前的文本进行脱敏 |
fullemailmasking | ‘abcd@gmail.com’ 将会被脱敏为 ‘xxxx@xxxxx.com’,对出现最后一个’.‘之前的文本(除’@'符外)进行脱敏 |
alldigitsmasking | ‘alex123alex’ 将会被脱敏为 ‘alex000alex’, 仅对文本中的数字进行脱敏 |
shufflemasking | ‘hello word’ 将会被随机打乱顺序脱敏为 ‘hlwoeor dl’, 该函数通过字符乱序排列的方式实现,属于弱脱敏函数,语义较强的字符串不建议使用该函数脱敏 |
randommasking | ‘hello word’ 将会被脱敏为 ‘ad5f5ghdf5’,将文本按字符随机脱敏 |
maskall | ‘4880-9898-4545-2525’ 将会被脱敏为 ‘xxxxxxxxxxxxxxxxxxx’ |
脱敏策略适用数据类型
脱敏函数名 | 支持的数据类型 |
creditcardmasking | BPCHAR, VARCHAR, NVARCHAR, TEXT(注:仅针对信用卡格式的文本类数据) |
basicemailmasking | BPCHAR, VARCHAR, NVARCHAR, TEXT(注:仅针对email格式的文本类型数据) |
fullemailmasking | BPCHAR, VARCHAR, NVARCHAR, TEXT(注:仅针对email格式的文本类型数据) |
alldigitsmasking | BPCHAR, VARCHAR, NVARCHAR, TEXT(注:仅针对包含数字的文本类型数据) |
shufflemasking | BPCHAR, VARCHAR, NVARCHAR, TEXT(注:仅针对文本类型数据) |
randommasking | BPCHAR, VARCHAR, NVARCHAR, TEXT(注:仅针对文本类型数据) |
maskall | BOOL, RELTIME, TIME, TIMETZ, INTERVAL, TIMESTAMP, TIMESTAMPTZ, SMALLDATETIME, ABSTIME,TEXT, BPCHAR, VARCHAR, NVARCHAR2, NAME, INT8, INT4, INT2, INT1, NUMRIC, FLOAT4, FLOAT8, CASH |
创建策略
--创建creditcardmasking脱敏策略
create resource label label_creditcardmasking add column(t_mask.creditcard);
create masking policy mask_creditcardmasking creditcardmasking on label(label_creditcardmasking) filter on roles('u_mask');
select id,name,creditcard from t_mask;
auxdb=> select id,name,creditcard from t_mask;
id | name | creditcard
----+------+---------------------
1 | 钱一 | xxxx-xxxx-xxxx-4444
2 | 赵二 | xxxx-xxxx-xxxx-7777
3 | 张三 | xxxx-xxxx-xxxx-0000
4 | 李四 | xxxx-xxxx-xxxx-3333
5 | 王五 | xxxx-xxxx-xxxx-7777
6 | 贾六 | xxxx-xxxx-xxxx-0000
(6 rows)
--创建basicemailmasking脱敏策略
create resource label label_basicemailmasking add column(t_mask.email);
create masking policy mask_basicemailmasking basicemailmasking on label(label_basicemailmasking) filter on roles('u_mask');
select id,name,email from t_mask;
id | name | email
----+------+-----------------------
1 | 钱一 | xxxxxx@enmotech.com
2 | 赵二 | xxxxxx@enmotech.com
3 | 张三 | xxxxxxxx@enmotech.com
4 | 李四 | xxxx@enmotech.com
5 | 王五 | xxxxxx@enmotech.com
6 | 贾六 | xxxxxx@enmotech.com
(6 rows)
--创建fullemailmasking脱敏策略
drop masking policy mask_basicemailmasking;
drop resource label label_basicemailmasking;
create resource label label_fullemailmasking add column(t_mask.email);
create masking policy mask_fullemailmasking fullemailmasking on label(label_fullemailmasking) filter on roles('u_mask');
select id,name,email from t_mask;
auxdb=> select id,name,email from t_mask;
id | name | email
----+------+-----------------------
1 | 钱一 | xxxxxx@xxxxxxxx.com
2 | 赵二 | xxxxxx@xxxxxxxx.com
3 | 张三 | xxxxxxxx@xxxxxxxx.com
4 | 李四 | xxxx@xxxxxxxx.com
5 | 王五 | xxxxxx@xxxxxxxx.com
6 | 贾六 | xxxxxx@xxxxxxxx.com
(6 rows)
--创建alldigitsmasking脱敏策略
create resource label label_alldigitsmasking add column(t_mask.address);
create masking policy mask_alldigitsmasking alldigitsmasking on label(label_alldigitsmasking) filter on roles('u_mask');
select id,name,address from t_mask;
auxdb=> select id,name,address from t_mask;
id | name | address
----+------+------------------------------------------
1 | 钱一 | huoyue Mansion, No. 00, 0st Fuhua Street
2 | 赵二 | huoyue Mansion, No. 00, 0st Fuhua Street
3 | 张三 | huoyue Mansion, No. 00, 0st Fuhua Street
4 | 李四 | huoyue Mansion, No. 00, 0st Fuhua Street
5 | 王五 | huoyue Mansion, No. 00, 0st Fuhua Street
6 | 贾六 | huoyue Mansion, No. 00, 0st Fuhua Street
(6 rows)
--创建shufflemasking脱敏策略
drop masking policy mask_alldigitsmasking;
drop resource label label_alldigitsmasking ;
create resource label label_shufflemasking add column(t_mask.address);
create masking policy mask_shufflemasking shufflemasking on label(label_shufflemasking) filter on roles('u_mask');
select id,name,address from t_mask;
auxdb=> select id,name,address from t_mask;
id | name | address
----+------+------------------------------------------
1 | 钱一 | trh. aa oSu1sF,u9io yhnutMenNt 8e ue,os
2 | 赵二 | as F2 Mt8uh9huNeaS,o,tnirus etn.o yuoe
3 | 张三 | .nht8 MNroyotu te,uise, SaFa 9 eu3nhous
4 | 李四 | shneNhyt, otrsMu. u9,net4 a8oeao i Fuu S
5 | 王五 | eouenoN SM,4F89ht uar yut.tsiasenu,oh
6 | 贾六 | ao F,er9o,s hsnntae 8N y4Suehtutu.i oMu
(6 rows)
--创建randommasking脱敏策略
drop masking policy mask_shufflemasking;
drop resource label label_shufflemasking;
create resource label label_randommasking add column(t_mask.address);
create masking policy mask_randommasking randommasking on label(label_randommasking) filter on roles('u_mask');
auxdb=> select id,name,address from t_mask;
id | name | address
----+------+----------------------------------
1 | 钱一 | b8236f85fdc76cc61d027f8777bb9eea
2 | 赵二 | ebdf57a682b57488aace0a2368aaad17
3 | 张三 | b8a516495f318ce985afd73e690e743f
4 | 李四 | a00815828de1c4d7e6ed3194c57b18a9
5 | 王五 | 89b0bb94753f84e3922c9a90c3759e9c
6 | 贾六 | bafd3c97fa07ab621a573261f54e3190
(6 rows)
--创建maskall脱敏策略
create resource label label_maskall add column(t_mask.order_id);
create masking policy mask_maskall maskall on label(label_maskall) filter on roles('u_mask');
select id,name,order_id from t_mask;
auxdb=> select id,name,order_id from t_mask;
id | name | order_id
----+------+----------
1 | 钱一 | 0
2 | 赵二 | 0
3 | 张三 | 0
4 | 李四 | 0
5 | 王五 | 0
6 | 贾六 | 0
(6 rows)脱敏数据导出测试
部分特殊场景下会要求对导出的数据进行脱敏,使用两种常见的逻辑导出工具测试脱敏数据相关适配
copy测试
--导出测试
\copy (select * from t_mask) to '/tmp/t_mask.csv';
[sysomm@db1 ~]$ cat /tmp/t_mask.csv
1 钱一 xxxx-xxxx-xxxx-4444 0 3245efe605986b499eefc7dc3ea46c52 xxxxxx@xxxxxxxx.com
2 赵二 xxxx-xxxx-xxxx-7777 0 98e3033052a1b808477949839faf7cda xxxxxx@xxxxxxxx.com
3 张三 xxxx-xxxx-xxxx-0000 0 134b5ddb780244aa4e3918a89ca22349 xxxxxxxx@xxxxxxxx.com
4 李四 xxxx-xxxx-xxxx-3333 0 5ca28dbfe128adc34907aa7ae05af2d0 xxxx@xxxxxxxx.com
5 王五 xxxx-xxxx-xxxx-7777 0 3d03aa6301c79882b7ffcb811d453bdf xxxxxx@xxxxxxxx.com
6 贾六 xxxx-xxxx-xxxx-0000 0 e7a9aa83d79db1899e5c952e45c270b2 xxxxxx@xxxxxxxx.com
--导入测试
create table t_mask_copy as select * from t_mask where 1=0;
\copy t_mask_copy from '/tmp/t_mask.csv';
select * from t_mask_copy;gs_dump测试
--导出测试
gs_dump -U u_mask -f /tmp/t_mask.dmp -p 26000 -t t_mask -F c auxdb
gs_dump -U u_mask -f /tmp/t_mask_text.dmp -p 26000 -t t_mask -F p auxdb
Mask@1234
cat /tmp/t_mask_text.dmp
--导入测试
drop table t_mask;
gs_restore /tmp/t_mask.dmp -p 26000 -d auxdb
select * from t_mask;
id | name | creditcard | order_id | address | email
----+------+---------------------+----------+----------------------------------+-----------------------
1 | 钱一 | xxxx-xxxx-xxxx-4444 | 0 | ddc3af31ebb8a96f404089e1e6b2ca83 | xxxxxx@xxxxxxxx.com
2 | 赵二 | xxxx-xxxx-xxxx-7777 | 0 | ed48fbaa518f639c0333b9b16426de58 | xxxxxx@xxxxxxxx.com
3 | 张三 | xxxx-xxxx-xxxx-0000 | 0 | 305e4959adb6098dde666e79cf7b4145 | xxxxxxxx@xxxxxxxx.com
4 | 李四 | xxxx-xxxx-xxxx-3333 | 0 | d0bd3411641dd61839f7486061b6aa3a | xxxx@xxxxxxxx.com
5 | 王五 | xxxx-xxxx-xxxx-7777 | 0 | 4a2b62f01e8f3899584b1603de1a1d60 | xxxxxx@xxxxxxxx.com
6 | 贾六 | xxxx-xxxx-xxxx-0000 | 0 | c8a7c55920acea7bf8ddc134575b67e8 | xxxxxx@xxxxxxxx.com
(6 rows)相关数据字典
-- 查询脱敏策略
select * from gs_masking_policy;
drop masking policy xxx
select 'drop masking policy ' || polname || ';' from gs_masking_policy;
-- 查询策略label
select * from gs_policy_label;
drop resource label xxx
select 'drop resource label ' || labelname || ';' from gs_policy_label;
-- 查询策略Filter
select * from gs_masking_policy_filters;
